Question

Using https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=3&nav=0,33 I generated "server.csr" to further create a public certificate. Then I got two encrypted keys. I tried to make changes in config.tcl accordingly, but the project-open application is still pointing to the local certificates. The part of config.tcl in which I made changes is as follows:

ns_section ns/server/${server}/module/nsopenssl/sslcontexts
ns_param users "SSL context used for regular user access"
ns_section ns/server/${server}/module/nsopenssl/defaults
ns_param server users
ns_section ns/server/${server}/module/nsopenssl/sslcontext/users
ns_param Role server
ns_param ModuleDir ${serverroot}/etc/certs/
ns_param CertFile newcert.pem
ns_param KeyFile keyfile.pem
ns_param CADir ca
ns_param CAFile shipo_cert.txt
ns_param Protocols "SSLv2, SSLv3, TLSv1"
ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_param PeerVerify false
ns_param PeerVerifyDepth 3
ns_param Trace false

shipo_cert.txt is the certificate provided along with one more certificate shipo_interm.txt.

I searched and tried my best but couldn't do it. Please help me out with this.

P.S. The project-open instance is already working with a self-signed certificate using openssl, but my organization wants it to run with the certificates they are providing.


Solution

DF > Have you packed your private key and the signed public key,
DF > together with the CA keychain, into a .p12 file yet? 
Victor > How to do that? Please guide me through.

This has been answered previously at Adding an intermediate certificates to a pkcs12 file in JBoss.

Assuming you have a certificate and private key for example.com:

openssl pkcs12 -export -in www-example-com.crt -inkey www.example.key -out www-example-com.p12

Be sure your certificate (www-example-com.crt above) has all the intermediate certificates required to build a valid chain, and not just the server's certificate. That means www-example-com.crt will have multiple PEM entries.

Test it with the following. ca.pem is your CA's root certificate.

echo -e "GET / HTTP/1.0\r\n" | openssl s_client -connect example.com:443 -CAfile ca.pem

You should finish with Verify return code: 0 (ok).
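
The chain-building step described in the answer above, as an added example that is not part of the original answer: it concatenates the server certificate and the intermediate (shipo_cert.txt and shipo_interm.txt in the question), checks that the private key matches and that the chain verifies against the root, then exports the .p12. The function names, the script name chain2p12.sh and the P12_PASS variable are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original answer). File names are placeholders.

# Concatenate leaf first, then intermediate, into one multi-entry PEM file.
build_chain() {   # build_chain LEAF INTERMEDIATE OUT
    { cat "$1"; echo; cat "$2"; } > "$3"
}

# Print how many PEM certificate entries a file holds.
count_pem_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Succeed only if KEY is the private key for the first certificate in CERT.
key_matches_cert() {   # key_matches_cert KEY CERT
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Succeed only if the first cert in CHAIN validates up to ROOT, using the
# remaining entries in CHAIN as untrusted intermediates.
verify_chain() {   # verify_chain ROOT CHAIN
    openssl verify -CAfile "$1" -untrusted "$2" "$2" 2>/dev/null | grep -q ': OK$'
}

# Pack chain + key into PKCS#12; the export password is read from $P12_PASS.
make_p12() {   # make_p12 CHAIN KEY OUT
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout env:P12_PASS
}

# Print how many certificates ended up inside the .p12 file.
p12_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS 2>/dev/null |
        grep -c -e '-----BEGIN CERTIFICATE-----'
}

# Usage: P12_PASS=... sh chain2p12.sh LEAF INTERMEDIATE ROOT KEY OUT.p12
if [ "$#" -eq 5 ]; then
    chain=$(mktemp) || exit 1
    build_chain "$1" "$2" "$chain"
    key_matches_cert "$4" "$chain" || { echo "key does not match certificate" >&2; exit 1; }
    verify_chain "$3" "$chain" || { echo "chain does not verify against root" >&2; exit 1; }
    make_p12 "$chain" "$4" "$5" && echo "certificates in $5: $(p12_cert_count "$5")"
    rm -f "$chain"
fi
```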

Licensed under: CC-BY-SA with attribution